Amazon Web Service (AWS)

NAT Gateway

NAT Gateway is an Amazon Network Address Translation (NAT) service that allows you to connect instances in a private network to external services outside your VPC, while those services can’t initiate a connection to those instances.
NAT Gateway
  • allocation_id - (Optional) The Allocation ID of the Elastic IP address for the gateway. Required for connectivity_type of public.
  • connectivity_type - (Optional) Connectivity type for the gateway. Valid values are private and public. Defaults to public.
  • subnet_id - (Required) The Subnet ID of the subnet in which to place the gateway.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a
NAT Gateway
Resources do not "belong" to a
NAT Gateway
Rather, one or more Security Groups are associated to a resource.
NAT Gateway
via Terraform:
The following HCL creates a public NAT gateway in the specified subnet and associates the Elastic IP address with the specified allocation ID. When you create a public NAT gateway, you must associate an Elastic IP address

resource "aws_nat_gateway" "example" {
 allocation_id =
 subnet_id     =

 tags = {
   Name = "gw NAT"

 # To ensure proper ordering, it is recommended to add an explicit dependency
 # on the Internet Gateway for the VPC.
 depends_on = [aws_internet_gateway.example]

NAT Gateway
via CLI:

[--allocation-id <value>]
[--client-token <value>]
[--dry-run | --no-dry-run]
--subnet-id <value>
[--tag-specifications <value>]
[--connectivity-type <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws ec2 create-nat-gateway \
   --subnet-id subnet-0250c25a1fEXAMPLE \
   --allocation-id eipalloc-09ad461b0dEXAMPLE

Best Practices for
NAT Gateway

Categorized by Availability, Security & Compliance and Cost

NAT Gateway changes alarm
Unused NAT Resources
Explore all the rules our platform covers
All Resources